3

I've got an app that generates a hash off of a user password, which I then use to encrypt data with. I want to extend this to the case where any 2 out of 5 users need to authenticate the app before it has enough data to generate that hash.

The problem I've got is I need to generate the exact same hash no matter which 2 of the 5 users authenticate - since I'm encrypting with one hash only.

My main objective is to make it as secure as possible, so if there are other ways of doing the same thing please feel free to mention those as well. I'll just change the code where needed.

1 Answer

9

Generate a random key, encrypt it with keys derived from each of the pairs (password1, password2), (password1, password3), (password1, password4), (password1, password5), (password2, password3) etc. Then store each of these ten encryptions, so that you can look the correct one up when you are handed two arbitrary passwords.

Alternatively, instead of storing all of these pairs, use a (2,5)-secret sharing scheme (e.g. Shamir's) to split the random key and then store each of the 5 secrets encrypted with a key derived from each of the passwords.


3 Comments

The "secret sharing" term was the bit I was missing. Shamir's scheme seems to fit me perfectly. Thank you.
The scheme described is simple and effective when it comes to 2-of-5. Obviously it doesn't scale well, but it's a good idea for this system. :)
Shamir's should still result in a more sane solution than running permutations of passwords - especially for scaling. I don't want to do permutations when someone decides we now need 10 people with passwords :)
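
The second option in the answer above (split a random key with Shamir's scheme, protect each share with its owner's password), as an added example that is not part of the original answer or comments. `split` and `combine` work for any k-of-n, not only 2-of-5. The field prime, PBKDF2 parameters, record layout and all function names are assumptions made here, and because the standard library has no AEAD cipher, each share is masked with a password-derived one-time pad plus an HMAC tag, standing in for a real AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

P = 2**521 - 1   # Mersenne prime; field comfortably holds a 32-byte key
SHARE_LEN = 66   # bytes needed for any value below P

def split(secret: int, k: int, n: int):
    """Shamir split: random degree-(k-1) polynomial f with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 from any k distinct shares."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def _keys(password: str, salt: bytes):
    # Assumed parameters: PBKDF2-SHA256, 200k iterations, expanded with SHAKE-256.
    root = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    okm = hashlib.shake_256(root).digest(SHARE_LEN + 32)
    return okm[:SHARE_LEN], okm[SHARE_LEN:]   # one-time pad, MAC key

def wrap(share, password: str) -> dict:
    x, y = share
    salt = secrets.token_bytes(16)            # fresh salt, so the pad is never reused
    pad, mac_key = _keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(y.to_bytes(SHARE_LEN, "big"), pad))
    tag = hmac.new(mac_key, bytes([x]) + ct, hashlib.sha256).digest()
    return {"x": x, "salt": salt, "ct": ct, "tag": tag}

def unwrap(rec: dict, password: str):
    pad, mac_key = _keys(password, rec["salt"])
    tag = hmac.new(mac_key, bytes([rec["x"]]) + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, rec["tag"]):
        raise ValueError("wrong password or corrupted record")
    return rec["x"], int.from_bytes(bytes(a ^ b for a, b in zip(rec["ct"], pad)), "big")

if __name__ == "__main__":
    key = secrets.token_bytes(32)                       # the single data key
    pws = ["pw-a", "pw-b", "pw-c", "pw-d", "pw-e"]      # constructed passwords
    stored = [wrap(s, p) for s, p in zip(split(int.from_bytes(key, "big"), 2, 5), pws)]
    print(combine([unwrap(stored[1], pws[1]), unwrap(stored[4], pws[4])]).to_bytes(32, "big") == key)
```

A single unwrapped share reveals nothing about the key, and the tag lets the app reject a wrong password instead of silently reconstructing a wrong key. Adding a sixth user means storing one more record rather than re-encrypting for every new pair.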
